diff options
Diffstat (limited to 'tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment')
-rw-r--r-- | tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment | 33 |
1 files changed, 0 insertions, 33 deletions
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment deleted file mode 100644 index 6a15cd2..0000000 --- a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment +++ /dev/null @@ -1,33 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="Unreproducible here (Firefox ESR 45.0.1)" - date="2016-04-07T16:32:37Z" - content=""" -Keys are properly pinned here - - 1. Close the browser - 2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt`: - - ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt - - 3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains) - 4. Open `https://mail.fripost.org/` in a new tab - 5. (After waiting a few seconds to let firefox flush the data.) The - HSTS policy and the two pins appear in the file: - - ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt - mail.fripost.org:HSTS 0 16898 1475812232563,1,1 - mail.fripost.org:HPKP 0 16898 1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w= - - There is no warning in the log, either. - -The root CA (*DST Root CA X3*) appear in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\". - -Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)? - - security.cert_pinning.enforcement_level = 1 - security.cert_pinning.process_headers_from_non_builtin_roots = false - -Please also verify that you have no weird non-default tunables for `security.*`. -"""]] |